Closed Bug 1468087 Opened 6 years ago Closed 6 years ago

IP Leak even after disabling WebRTC

Categories

(Core :: WebRTC: Networking, defect)

60 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: mishra.dhiraj95, Unassigned)

Details

(Keywords: privacy)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180517113820

Steps to reproduce:

Hi Team, 

Tested On: 
Name 	Firefox
Version 	60.0.1
Build ID 	20180517113820
User Agent 	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
OS 	Linux 4.13.0-43-generic


Actual results:

IP leak when WebRTC is enabled is a well-known functionality.
However, I went to about:config and set the value `false` for `media.peerconnection.enabled`.

Which means IP leakage should be prevented in this case; however, I connected my system to GPRS (no matter 3G/4G) using a hotspot and browsed a website, which was
http://fvideo.club/mf/vvas/lp.php?a=1113&c=11&s2={clickid}&s1={subaffiliate id} [This website will only function properly when browsed by 3G/4G]

This is one for the VAS service which allows users to get subscribed, and they will be charged based on their subscription pack.

What I observed was that, while capturing the request of the above website, it still takes my public IP and forwardedIP to the server. I wonder, if my WebRTC is disabled, how my IP still leaks via GET request.


Request team to have a look and advise for same.


Expected results:

RAW Request, example which carries my IP address:
GET /mf/vvas/towards_cg.php?mtxn=0696210ed69b709a6eb4xxxxxxxxxxxx&offer_id=17&pub_txn_id={clickid}&ho_txn_id={clickid}&aff_id=1113&aff_sub2=&source=&real_ip=42.10x.xxx.xxx&forwarded_ip=2402:3a80:646:3e21:ec42:xxx:xxxx:xxxx&lpts=20xxxxxxxxxxxx&lpimg=http://fvideo.club/mf/vvasCreative
Group: firefox-core-security → core-security
Component: Untriaged → WebRTC: Networking
Keywords: privacy
Product: Firefox → Core
Group: core-security → media-core-security
Note that your external IP address is always easy to find unless you use a VPN (and even then you must configure it correctly). I.e., a website can trivially set up a server at foo.com that, when you load foo.com/getmyip.html, returns the IP source address in the incoming packets. So the fact that your IP address is known to the JS doesn't say anything about where it got the address from.

If you have information indicating that the disabling didn't work, please reopen or open a new bug with that information.  Note: much of the press and hype around the "IP address leak" overstates the problem.  The primary issue is with VPN users (especially misconfigured VPNs).
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Thank you Randell for the clarification.
However, I hosted a JS which gets the private IP address in this case, i.e. http://ch3114.com/getip.html. After visiting that, it gives a popup with my private IP. Now I set `media.peerconnection.enabled` to `false` and browse to the above URL again, and there is no leakage of my private IP.

Now I connect to GPRS with the same setting in FF and browse http://fvideo.club/mf/vvas/lp.php?a=1113&c=11&s2={clickid}&s1={subaffiliate id}. What I observed was that at a certain request my private IP still travels in a parameter, forwarded_ip. I just cross-checked that on my phone (Settings > About Phone > Status): my private IP was the same one that was traveling in the forwarded_ip parameter of the above GET request.

However, if you remember, our `media.peerconnection.enabled` was set to `false`, and still the private IP was transferred to the server.

Request to please have a look and advise for same.
Attached image PoC.PNG
This PoC is when WebRTC is disabled but my private IP is still leaked.
Attached image PoC-1.png
This PoC is from my phone, which I cross-checked for my private IP.
So that URL does include your local 10.* address -- however, I suspect (given this is a service only offered to GPRS users) that the ISP provides a URL that site can use to get the local IP of a GPRS user, which is used to verify that the user is on GPRS. I.e. they do a GET to http://gprs-provider.com/verify-this-user-is-on-gprs and it returns "user-is-on-gprs, IP=10.x.x.x, external-ip=42.y.y.y" or "user-is-unknown". I.e. the ISP (which is the GPRS provider) also knows your local address. And they do do things like that - they have financial incentive to provide partners a way to verify if a user is on GPRS. If you were on your own NAT/router with a 192.x address, and *that* was shown, that would be a leak from somewhere, or the result of a complex script to infer your local address (which can be done, and some attacks in the field on routers do so).

I hope that explains what's probably going on. You could look at the JS and figure out where it comes from, or run devtools and use a debugger to figure it out. It isn't WebRTC, I'm sure. (And as I stated, the risk from WebRTC exposure of your local IP address is majorly over-hyped, and the risks that do matter are for users of (broken/poorly-configured) VPNs who are concerned with state authorities identifying their browsing behavior - and they can control that without turning off WebRTC by using an extension that sets the IETF IP address mode prefs to something other than the default. ublock does this, I believe.) Local IP can add fingerprinting, though I think you'll find that your font list is far more problematic.

Removing sec
Group: media-core-security
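
One way to triage a captured request like the one in this report is to pull out every query parameter that parses as an IP address and label its scope, so a carrier-assigned or public address is not mistaken for a home-LAN address. This is an added example, not part of the bug thread; the URL, the addresses and the `lan_ip` parameter are constructed, and `classify_ip_params` and `scope_of` are hypothetical helper names.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Scopes are checked in order; anything unmatched is reported as "global/other".
SCOPES = [
    ("loopback", ["127.0.0.0/8", "::1/128"]),
    ("link-local", ["169.254.0.0/16", "fe80::/10"]),
    ("private (RFC 1918)", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("shared/CGNAT (RFC 6598)", ["100.64.0.0/10"]),
    ("unique-local IPv6 (RFC 4193)", ["fc00::/7"]),
]
NETS = [(label, [ipaddress.ip_network(n) for n in nets]) for label, nets in SCOPES]


def scope_of(addr):
    """Return the scope label for an ipaddress.IPv4Address/IPv6Address."""
    for label, nets in NETS:
        if any(addr.version == n.version and addr in n for n in nets):
            return label
    return "global/other"


def classify_ip_params(url):
    """Return {param: (address, scope)} for query values that parse as IPs."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # ids, timestamps, redacted or templated values
        found[name] = (str(addr), scope_of(addr))
    return found


# Constructed sample; real_ip and forwarded_ip mirror the parameter names in
# the report, lan_ip is an assumed extra parameter added for contrast.
SAMPLE = ("http://tracker.example/towards_cg.php?offer_id=17&aff_id=1113"
          "&pub_txn_id={clickid}&real_ip=198.51.100.23"
          "&forwarded_ip=10.44.3.9&lan_ip=192.168.1.20&lpts=20180601")

if __name__ == "__main__":
    for param, (addr, scope) in classify_ip_params(SAMPLE).items():
        print(f"{param:14} {addr:16} {scope}")
```

The scope label narrows down which network could have assigned the address; it does not show where the page obtained the value, which still has to be traced in the page's JS or the network capture.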